SMTP Relay problem
Posted: Thu Jan 10, 2008 8:57 am
by techsharp
Hello,
Our mail server is having a problem with the SMTP Relay. The issue is that it will not actually stop or get aborted, but it will stop working, and when that happens mail does not get sent from external email to our mailboxes - internally it works fine.
I have nagios set up to monitor services, and the report for SMTP is: CRITICAL - Socket timeout after 10 seconds when the issue occurs.
This is a major issue because if I am not at work and do not see this, then mail will not get delivered for hours on end.
I would like to find out how to
A. Resolve the problem or B. not use the smtp relay and just use sendmail.
Right now in sendmail.cf we have:
O DaemonPortOptions=Port=smtp, Addr=127.0.0.1, Name=MTA
O DaemonPortOptions=Port=smtps, Addr=127.0.0.1, Name=TLSMTA, M=s
If I take out the 127.0.0.1 part then mail will work without the SMTP relay; however, when sending from webmail it goes to the drafts.
Either way would like some suggestions on what I could do to solve the issue.
Thanks!
Posted: Thu Jan 10, 2008 9:53 am
by Valerion
Make sure SUBMIT=ON is in your SMTPD.CFG. Add SMTP=OFF just above that. Ensure that in the [SUBMIT] section the server is listening on port 587. Restart the SMTP gateway and check that it is only listening on 587 now.
Then in swa.properties add :587 to the SMTP server directive and restart and retest SWA
Posted: Thu Jan 10, 2008 10:38 am
by techsharp
Valerion -
Thanks I will be in the office tomorrow and will make those changes - will let you know how it works out.
Posted: Thu Jan 10, 2008 12:18 pm
by techsharp
Valerion -
Quick follow-up questions: by making these config changes, what exactly does this do? Make it so it listens on port 587, which will not be used by anything else?
Also do I still need to use the smtp relay after these changes are made?
Thanks!
Posted: Fri Jan 11, 2008 3:28 am
by Valerion
If you make these changes you can switch completely to sendmail; the SMTP relay will no longer listen on port 25. The 587 (used because it is SMTP Submission, but it can be anything) is needed because SWA insists on SMTP Auth. This will give SWA that chance.
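Once the Scalix relay has been moved to 587 as described above, the thing worth checking is that the new listener really does insist on authentication and is not reachable as an open relay. The probe below is an added example, not code from the thread or from Scalix: it connects as an unauthenticated client, reads the EHLO extensions for AUTH, and checks that MAIL FROM / RCPT TO are refused. The fake listener in the same block is a constructed stand-in used only so the probe can be exercised offline; the host names and mailbox addresses in it are placeholders.

```python
"""Probe an SMTP listener to confirm it advertises AUTH and refuses an
unauthenticated relay attempt (submission-port behaviour), as opposed to
accepting MAIL FROM / RCPT TO from anyone (open-relay behaviour).
Added example; the fake listener is a constructed stand-in, not omsmtpd."""
import socket
import threading

CRLF = b"\r\n"


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        # "250-..." means more lines follow; "250 ..." ends the reply
        if len(text) < 4 or text[3] != "-":
            return int(text[:3]), lines


def probe_submission(host, port, timeout=10.0):
    """Talk ESMTP to host:port without authenticating and report whether the
    listener advertises AUTH and refuses to relay for an unauthenticated client."""
    result = {"auth_advertised": False, "relay_rejected": None, "last_reply": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                                    # 220 banner
        s.sendall(b"EHLO probe.example.invalid" + CRLF)   # hypothetical client name
        _, lines = _read_reply(f)
        # extension keywords start at column 4 of each continuation line
        exts = {ln[4:].split()[0].upper() for ln in lines[1:] if len(ln) > 4}
        result["auth_advertised"] = "AUTH" in exts
        s.sendall(b"MAIL FROM:<probe@example.invalid>" + CRLF)
        code, lines = _read_reply(f)
        if code == 250:  # sender accepted; an auth-only listener should not get here
            s.sendall(b"RCPT TO:<victim@elsewhere.invalid>" + CRLF)
            code, lines = _read_reply(f)
        result["last_reply"] = lines[-1]
        result["relay_rejected"] = code != 250  # e.g. 530 auth required / 550 relaying denied
        s.sendall(b"QUIT" + CRLF)
        f.close()
    return result


def start_fake_listener(require_auth, host="127.0.0.1"):
    """Constructed demo listener (NOT Scalix code). require_auth=True mimics a
    submission port that refuses MAIL FROM without AUTH; False mimics an open relay.
    Binds an ephemeral port on loopback and returns it."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as f:
                conn.sendall(b"220 mail.example.invalid ESMTP ready" + CRLF)
                while True:
                    line = f.readline()
                    if not line:
                        break
                    cmd = line.decode("ascii", "replace").strip().upper()
                    if cmd.startswith("EHLO"):
                        conn.sendall(b"250-mail.example.invalid" + CRLF
                                     + b"250-AUTH PLAIN LOGIN" + CRLF
                                     + b"250 8BITMIME" + CRLF)
                    elif cmd.startswith("MAIL FROM") and require_auth:
                        conn.sendall(b"530 5.7.0 Authentication required" + CRLF)
                    elif cmd.startswith(("MAIL FROM", "RCPT TO")):
                        conn.sendall(b"250 2.1.0 OK" + CRLF)
                    elif cmd.startswith("QUIT"):
                        conn.sendall(b"221 2.0.0 Bye" + CRLF)
                        break
                    else:
                        conn.sendall(b"502 5.5.2 Command not implemented" + CRLF)
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for mode in (True, False):
        p = start_fake_listener(require_auth=mode)
        print("require_auth=%s ->" % mode, probe_submission("127.0.0.1", p))
```

Against a real box you would call probe_submission() with the host and port that omsmtpd now listens on (and, if the [SUBMIT] listener is later opened on eth0 as well, from outside the LAN too); a result with auth_advertised True and relay_rejected True is what you want to see, and a False in relay_rejected means an unauthenticated client was allowed to name an external recipient.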
Posted: Fri Jan 11, 2008 9:29 am
by techsharp
Valerion
That will be excellent! If I have time today I will give it a shot! Will let you know - thanks!
Posted: Fri Jan 11, 2008 1:03 pm
by techsharp
Valerion -
OK, right now we use stunnel so our config might be a little different - I know on 11.3 we won't have to worry about it - but here are the config changes I made; it looks like this now:
smtp.cfg
# Uncomment the following lines to enable the Submission and LMTP listeners
SMTP=OFF
SUBMIT=ON
#LMTP=ON
# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL
swa.properties
swa.email.smtpServer=localhost.localdomain:587
lsof -i :25
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sendmail 20572 root 4u IPv4 534165 TCP *:smtp (LISTEN)
lsof -i :587
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
omsmtpd 24873 root 4u IPv4 562370 TCP localhost.localdomain:submission (LISTEN)
I sent from webmail and Outlook, no problems.
To be able to send from webmail I will need to keep the SMTP relay on, correct?
Also, does this look OK? I would assume the localhost is because we use stunnel - I changed the localhost.localdomain part in swa.properties from mars.blueslate.net - when it had mars it did not work.
Thanks
Posted: Fri Jan 11, 2008 1:31 pm
by techsharp
I turned off the SMTP relay and webmail did not work, so I am guessing the SMTP relay will only be used now for webmail, correct?
If it goes down it will only affect webmail users and not Outlook, so that is not too bad.
Posted: Sat Jan 12, 2008 2:16 am
by techsharp
OK
I made the changes on the production box and now getting in the maillog:
mars.blueslate.net [17x.4.x.x] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Mail looks to be coming in and out, but I think it could be rejecting some messages - why does this now show up?
Mail access file:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:mars.blueslate.net RELAY
Any suggestions on what I need to change to fix that?
Posted: Sat Jan 12, 2008 3:13 am
by techsharp
Also should the sendmail.cf file say:
O DaemonPortOptions=Port=smtp, Addr=127.0.0.1, Name=MTA
O DaemonPortOptions=Port=smtps, Addr=127.0.0.1, Name=TLSMTA, M=s
Or:
O DaemonPortOptions=Port=smtp, Name=MTA
O DaemonPortOptions=Port=smtps, Name=TLSMTA, M=s
Thanks
Posted: Sat Jan 12, 2008 2:06 pm
by satei
I have exactly the same problem.
I think I am just too stupid to configure Sendmail.
Exim is my default MTA so it's a little bit different.
Hope that somebody knows the answer.
Thanks in advance
Posted: Mon Jan 14, 2008 4:43 am
by Valerion
Lots of questions
You can change the LISTEN= in [SUBMIT] to add listening on eth0 (separated by ,). That way you can have the submission listener authenticating outside POP3/IMAP sessions as well as SWA. I use that when my travelling employees want to send via GPRS/3G and don't always know which SMTP server they can send to. Also, since there is no relaying configuration, only authenticated users can use it.
The "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA" happens if someone violates the ESMTP protocol. sendmail is VERY strict about this and will log it, though not necessarily reject. I get this when someone telnets to port 25 without completing a transaction (my nagios does this a lot, as it just checks if sendmail is listening).
DaemonPortOptions should not list localhost if you want it to listen on all addresses (as in this case). If an Addr is present, it binds only to the selected address(es); otherwise it will bind to *.
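The quick way to tell whether the "did not issue MAIL/EXPN/VRFY/ETRN" lines are a monitoring probe or something else is to group them by the source address and look at the spacing between connections: a probe such as a nagios check fires on a fixed schedule, a misbehaving mailer or a scanner does not. The script below is an added example (not from the thread or from sendmail) that does that over maillog text and also picks out the mailer=relay / stat= delivery lines quoted later in the thread. The sample log lines are constructed to match the formats shown in the thread; the addresses 192.0.2.10 and 198.51.100.7 and the host scanner.example.invalid are placeholders.

```python
"""Triage sendmail 'did not issue MAIL/EXPN/VRFY/ETRN' noise in maillog.
Added example, not part of the thread. SAMPLE_LOG is constructed; the
addresses and the scanner host name in it are placeholders."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
Jan 14 08:45:03 mars sendmail[30701]: m0EDj3ab030701: mars.blueslate.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 08:45:08 mars sendmail[30712]: m0EDj8ab030712: mars.blueslate.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 08:45:13 mars sendmail[30720]: m0EDjDab030720: mars.blueslate.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 08:45:18 mars sendmail[30731]: m0EDjIab030731: mars.blueslate.net [192.0.2.10] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 08:45:20 mars sendmail[30740]: m0EDjKab030740: scanner.example.invalid [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Jan 14 08:45:33 mars sendmail[30775]: m0EDj8Qb030775: to=<user@blueslate.net>, delay=00:00:25, xdelay=00:00:10, mailer=relay, pri=32845, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m0EDjNDY030799 Message accepted for delivery)
"""

# syslog prefix + sendmail queue id, shared by both line types
_TS = (r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
       r"sendmail\[\d+\]: (?P<qid>\w+): ")
NOISE_RE = re.compile(_TS + r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] did not issue "
                      r"MAIL/EXPN/VRFY/ETRN during connection to (?P<daemon>\S+)$")
DELIV_RE = re.compile(_TS + r"to=<(?P<rcpt>[^>]+)>,.*?relay=(?P<relay>\S+).*?stat=(?P<stat>\w+)")


def _ts(m):
    # syslog timestamps carry no year; fine for measuring gaps within one file
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")


def parse_maillog(text):
    """Split maillog text into no-transaction connects and delivery records.
    Returns (noise, deliveries): noise entries are (ts, host, ip, daemon),
    delivery entries are (ts, rcpt, relay, stat)."""
    noise, deliveries = [], []
    for line in text.splitlines():
        m = NOISE_RE.match(line)
        if m:
            noise.append((_ts(m), m["host"], m["ip"], m["daemon"]))
            continue
        m = DELIV_RE.match(line)
        if m:
            deliveries.append((_ts(m), m["rcpt"], m["relay"], m["stat"]))
    return noise, deliveries


def noisy_sources(noise, min_count=3):
    """Group no-transaction connects by source IP and report how many there were
    and the median gap in seconds. A steady gap (e.g. 5 s) points at a scheduled
    probe such as a monitoring check rather than a mail client or scanner."""
    by_ip = defaultdict(list)
    for ts, _host, ip, _daemon in noise:
        by_ip[ip].append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[ip] = {"count": len(stamps), "median_gap": median(gaps) if gaps else None}
    return {ip: r for ip, r in report.items() if r["count"] >= min_count}


if __name__ == "__main__":
    noise, deliveries = parse_maillog(SAMPLE_LOG)
    for ip, r in noisy_sources(noise).items():
        print(f"{ip}: {r['count']} empty connects, median gap {r['median_gap']} s")
    for _ts_, rcpt, relay, stat in deliveries:
        print(f"delivery to {rcpt} via {relay}: {stat}")
```

Run it against the real file (for example feeding open('/var/log/maillog').read() to parse_maillog) and the address that shows up with a few hundred connects at a constant gap is the one to match against the nagios host; a source with irregular gaps, or one that is not a host you monitor from, is worth the packet capture and lsof pass rather than a log filter.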
Posted: Mon Jan 14, 2008 9:49 am
by techsharp
Valerion-
Thank you.
OK right now my sendmail.cf file is setup as:
O DaemonPortOptions=Port=smtp, Addr=127.0.0.1, Name=MTA
O DaemonPortOptions=Port=smtps, Addr=127.0.0.1, Name=TLSMTA, M=s
And my smtp.cfg is:
SMTPFILTER=TRUE
RELAY accept 127.0.0.1
RELAY accept .blueslate.net
RELAY accept 172.20.2.11
RELAY Log_Reject ALL
# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*
# Uncomment the following lines to enable the Submission and LMTP listeners
#SUBMIT=ON
#LMTP=ON
# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL
# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix
Now of course this is before the changes you have said to make. Now if I go and make the sendmail.cf file with no localhost and make the changes to the smtp.cfg and webmail file, I get the "did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA".
If I look now at the maillog it reads this:
Jan 14 08:45:33 mars sendmail[30775]: m0EDj8Qb030775: to=<user@blueslate.net>, delay=00:00:25, xdelay=00:00:10, mailer=relay, pri=32845, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (m0EDjNDY030799 Message accepted for delivery)
As we can see relay is 127.0.0.1 which is fine because it is in the sendmail.cf file.
When I change it, how come it gives me the did not issue error?
My access file states:
Connect:localhost.localdomain RELAY
Connect:localhost RELAY
Connect:127.0.0.1 RELAY
Connect:mars.blueslate.net RELAY
Mars.blueslate.net is in there. So the only hurdle now is to get past that error message - I mean it was happening literally every 5 seconds - so which file do I need to change so sendmail can see this as OK?
Sorry for the long post - and thanks once again!
Posted: Mon Jan 14, 2008 10:09 am
by Valerion
With the setup you have now, Scalix's SMTP Relay is listening on port 25 and sendmail is only listening on localhost, so any connection attempts will go to Scalix, not sendmail, and Scalix does not log this AFAIK.
To get rid of the message you will have to find out which process makes the connection and kill it. Maybe do a packet dump, combined with a regular lsof, to see which process it is? Not sure how else to trace it. Could it be that the machine runs some kind of automated mailer that is misbehaving?
Posted: Mon Jan 14, 2008 10:19 am
by techsharp
Valerion-
Right - when I make the change though, sendmail only listens on 25 and then the SMTP relay listens on 587.
Mail comes in and out, but that message comes up every 5 seconds - if I can get rid of it then I am good to go.
Machine runs nagios, but that works fine and I do not see the message until I make the change - I could try it and shut nagios off to see if that is the problem - other than that nothing else runs on it.